Basic Authentication - asp.net

I have one VS application named Dotnetpanel, which provides a lot of webservices.
I created another another VS application say TestModule in which I need to create the webservice client. But when I try to create a client and call the webservice in TestModule, an error occured"The request failed with HTTP status 401: Unauthorized." From one of articles I have read that
DotNetPanel API implemented as a set of SOAP Web Services.
Requirements:
WSE 3.0 or Basic Authentication
****Each API call should have user’s credentials provided****
Basic Authentication:
For interacting with DotNetPanel API you should use Basic Authentication. DotNetPanel recognizes “Authorization” header with the user credentials provided in the following format: username:password.
So my question is I have a user credentials which can pass to the TestModule and after that how can I call the DotnetPanel webservices from the TestModule with Basic Authentication.
Regards
Fenix

Sounds to me that you have to send those credentials as a parameter to the web service.
Try to call the web service url to see its methods. When calling to the web service directly from the browser, you have to be able to see a list of methods, then search for the method you're trying to use and click on it. You'll see the SOAP request and response definitions. You can take a look at what parameters is the web service expecting. I think if it asks you for credentials, there has to be a couple of param for that there.
Hope it helps.

Related

Token authentication and authorisation for a self-hosted ASP.NET Web API 2 REST service

I'm using VS2013 and Web API 2 to create a self-hosted (using OWIN), RESTful service over SSL using token authentication. Although I'm not a novice developer, this is my first time looking at ASP.NET technologies, so please keep that in mind.
I've got everything more-or-less working except for the authentication and authorisation parts. I fully understand the difference of authenticating a user (who is this user?) and authorising an already authenticated user to access a resource (can this user access this particular resource?).
A very simple overview of my auth process is as follows (makes some assumptions for brevity):
An unknown client connects to the API, e.g. GET api/values.
The server responds with a 401 and this response header: "WWW-Authenticate: Token".
Upon seeing this, the unknown client knows to connect to a different API endpoint here: POST api/auth (routed to the Login function), supplying the username and password.
The server will try to figure out if this is a valid user and can accept or reject the user depending on the validity of the credentials.
(Rejected) The server returns an error status code (403?). End of process.
(Accepted) The server creates a random token (e.g. a GUID) and stores it against the user record. Then it sends the token to the client.
The now authenticated client reconnects to the API, GET api/values, and this time also supplies the token.
The user returns the resource data to the client.
...
The user can log out by connecting to the same API as he used to log in: POST api/auth (this time, his request will be routed to the Logout function). This will remove the token from the server and the client will also have to remove its own token.
As you can see, this is a relatively simple process, but I can't find any concrete and simple examples to understand how best to achieve this with a self-hosted Web API 2.
I don't need to register users or do any password/roles management, etc. and there is no external authentication. All valid users have the same rights to access the resources and they're already created in the system by a separate process over which I have no control (I can only read their credentials for validation). Most examples I found are talking about security frameworks that I don't need, so I've ruled out using any of the following: Basic Authentication, Windows Authentication, Forms Authentication, Individual Accounts, ASP.NET Membership/Identity, OAuth, Thinktecture or any other security framework.
I've read articles about authenticating in a message handler and others about authentication in a custom Authorize attribute filter, while others even suggest I should use the new (in Web API 2) IAuthenticateFilter attribute. This is very confusing. Can you please advise on a very simple way to achieve my auth objectives? Any specific code examples will be greatly appreciated, even if they're just skeleton implementation or pseudocode. I just need some ideas to get me started.
After a lot of googling, I found this article on CodeProject: http://www.codeproject.com/Articles/630986/Cross-Platform-Authentication-With-ASP-NET-Web-API. While this is not Web API 2 or self-hosted, it has given me a number of ideas on how to proceed.
Someone also posted a comment to that CodeProject article referencing a NuGet package that may interest anyone looking for something similar: https://www.nuget.org/packages/WebApiTokenAuth. In my case, it is a bit much.
Finally, in addition to the authentication options mentioned in the question, there's also the option to write an OWIN middleware to do authentication if self-hosting using OWIN (as per the official MS recommendation). However, I plan to implement this particular form of token authentication with a message handler, as there's more support for this method available than for writing OWIN middleware.

security with asp.net mvc 4 web api

I've created my first mvc 4 project using the web api template. I've configured CORS to restrict other sites from accessing my api directly into other websites. I use ajax to retrieve the data supplied by the api into a web page and that works well.
The address to my web api is http://www.xyz.com/webapi/ one of the actions is http://www.xyz.com/webapi/api/sales How can I prevent anyone from accessing /webapi and /webapi/api/sales and using the data (screen scraping) for their own use. I do not want any other service browser accessing the web api, just the ajax query that is present on another website that I've set up.
Thanks in advance!
Approach 1 - Get a Bearer Token
You could implement this - Individual Accounts in ASP.NET Web API
Here in this tutorial, the controllers are marked with [Authorize] and the following steps are followed.
Register a User
Authenticate and Get a Bearer Token
Send an Authorized Request
Approach 2 - Use a private API Key
You could use an api key with each of your web api calls and check on server side if the api key is valid if not return 401, Unauthorized. This api key could be saved in your web.config file.

OWIN AuthorizeEndpoint with redirect_uri different than uri of web api

I am successfully using bearer token authentication for asp.net web API as is demonstrated in the default single page application template. But now I want to use the same web API from a different site (a different url).
When I make a request to web API AuthorizeEndpoint(by default /api/Account/ExternalLogin) from different site, I get error: invalid_request. I guess the problem is in the redirect_uri value, since changing that to value of site running on same domain as web api resolves the problem.
ValidateClientRedirectUri method in application OAuthAuthorizationServerProvider doesn't get fired. So based on my search in Katana source the error origin is in OAuthAuthorizationServerHandler.InvokeAuthorizeEndpointAsync.
Does anyone else have the same problems or am I doing something wrong?
The Katana OAuth middleware is not designed to be cross application - it is mainly for "embedding" an OAuth authorization server into the business resource.
If you want a proper (free) authorization server - have a look here:
https://github.com/thinktecture/Thinktecture.AuthorizationServer/wiki
The bearer token appears to be a hash into an claims hash, which is local to your application.
We are using a jwt token with a separate validate handler. Works cross application.
Still looking for a better way but for now it works.

Pass ADFS Token in WebClient Call

I am using ADFS 2.0 and WIF to authenticate and authorize my users to an ASP.Net MVC 4 application, WebAppA. WebAppA uses WebClient.DownloadString(url) to call another WebAppB and I would like to pass the delegated user's credentials to WebAppB to retrieve customized content for the user.
I see several examples of a web application calling a WCF service using CreateChannelActingAs, but this is not quite my situation.
Is there a way for WebAppA to retrieve the ActAs (or OnBehalfOf?) token for WebAppB and pass it with WebClient to WebAppB? I have seen a few possibilities, including the "bearer" Authorization header and inserting a cookie into the headers, but I don't quite understand these examples and it seems like something's missing, like how to use the BootstrapContext from WebAppA to retrieve and serialize the token for WebAppB.
Thanks for any help!
--Mark
Yes, you could have WebAppA call the STS and request an ActAs token for WebAppB, using the original token (the one intended for WebAppA) as the input, but this is normally used for web services (and it might be overkill). Looks like you are just GET'ing a page from WebAppB. Why not just use basic auth, SSL and pass a parameter of the user making the request? (in essence using a trusted subsystem approach).

How to protect a WCF Rest service with username and password?

I'm new in WCF and I want to know how can I protect a WCF Rest service.
I have an asp.net website, only registered users can access it, the application uses a service hosted on the same IIS server, my question is, how can I restrict the use of this service, for that only registered users may use it, knowing that the service can be used by many clients (Android, iPhone, ...). what type of authentication I can use? to test the service I created a winform and I use an HttpWebRequest.
PS: I cant use https.
Thanks
Simplest way is to use asp.net compatibility mode. The WCF service call will result in the same preprocessing used for ASP.NET pages, including checking the ASP.NET auth and session cookies. You will also be able to check HttpContext, including httpcontext.current.user.identity.isauthenticated. If the user is not authenticated, throw an exception or return an error code. Here is some more information: http://msdn.microsoft.com/en-us/library/aa702682.aspx.
So if you are already using forms auth for your application, and the service should be called after a user has logged in to your application, you are set.
You can also create an authentication service. The service will allow the client to send a username / password, and will use ASP.NET authentication to authenticate the user. It will send back an auth cookie, and then you can check future service calls as above. See http://msdn.microsoft.com/en-us/library/bb386582.aspx.
I believe the authentication service can called using json. See How to Call .NET AuthenticationService from json client without ASP.NET.

Resources